FreeRADIUS is a fully GPLed RADIUS server implementation. It supports a wide range of authentication mechanisms, but PEAP is used for the example in this document.
Procedure 1. Installing FreeRADIUS
Head over to the FreeRADIUS site, http://www.freeradius.org/, and download the latest release.
#cd /usr/local/src#wget ftp://ftp.freeradius.org/pub/radius/freeradius-1.0.0.tar.gz#tar zxfv freeradius-1.0.0.tar.gz#cd freeradius-1.0.0
Configure, make and install:
# ./configure
# make
# make install
You can pass options to configure. Use ./configure --help or read the README file, for more information.
The binaries are installed in /usr/local/bin and
/usr/local/sbin. The configuration files are found
under /usr/local/etc/raddb.
If something went wrong, check the INSTALL and
README included with the source. The RADIUS FAQ also contains
valuable information.
FreeRADIUS has a big and mighty
configuration file. It's so big, it has been split into several
smaller files that are just “included” into the main
radius.conf file.
There is numerous ways of using and setting up FreeRADIUS to do
what you want: i.e., fetch user information from LDAP, SQL, PDC,
Kerberos, etc. In this document, user information from a plain text
file, users, is used.
The configuration files are thoroughly commented, and, if that is not
enough, the doc/ folder that comes with the source
contains additional information.
Procedure 2. Configuring FreeRADIUS
The configuration files can be found under /usr/local/etc/raddb/
# cd /usr/local/etc/raddb/
Open the main configuration file radiusd.conf,
and read the comments! Inside the encrypted
PEAP tunnel, an MS-CHAPv2 authentication mechanism is used.
MPPE [RFC3078] is responsible for sending the PMK to the AP. Make sure the following settings are set:
# under MODULES, make sure mschap is uncommented!
mschap {
# authtype value, if present, will be used
# to overwrite (or add) Auth-Type during
# authorization. Normally, should be MS-CHAP
authtype = MS-CHAP
# if use_mppe is not set to no, mschap will
# add MS-CHAP-MPPE-Keys for MS-CHAPv1 and
# MS-MPPE-Recv-Key/MS-MPPE-Send-Key for MS-CHAPv2
#
use_mppe = yes
# if mppe is enabled, require_encryption makes
# encryption moderate
#
require_encryption = yes
# require_strong always requires 128 bit key
# encryption
#
require_strong = yes
authtype = MS-CHAP
# The module can perform authentication itself, OR
# use a Windows Domain Controller. See the radius.conf file
# for how to do this.
}
Also make sure the “authorize” and “authenticate” contains:
authorize {
preprocess
mschap
suffix
eap
files
}
authenticate {
#
# MSCHAP authentication.
Auth-Type MS-CHAP {
mschap
}
#
# Allow EAP authentication.
eap
}
Then, change the clients.conf file to specify
what network it's serving:
# Here, we specify which network we're serving
client 192.168.0.0/16 {
# This is the shared secret between the Authenticator (the
# access point) and the Authentication Server (RADIUS).
secret = SharedSecret99
shortname = testnet
}
The eap.conf should also be pretty
straightforward.
Set “default_eap_type” to “peap”:
default_eap_type = peap
Since PEAP is using TLS, the TLS section must contain:
tls {
# The private key password
private_key_password = SecretKeyPass77
# The private key
private_key_file = ${raddbdir}/certs/cert-srv.pem
# Trusted Root CA list
CA_file = ${raddbdir}/certs/demoCA/cacert.pem
dh_file = ${raddbdir}/certs/dh
random_file = /dev/urandom
}
Find the “peap” section, and make sure it contain the following:
peap {
# The tunneled EAP session needs a default
# EAP type, which is separate from the one for
# the non-tunneled EAP module. Inside of the
# PEAP tunnel, we recommend using MS-CHAPv2,
# as that is the default type supported by
# Windows clients.
default_eap_type = mschapv2
}
The user information is stored in a plain text file
users. A more sophisticated solution to store
user information may be preferred (SQL, LDAP, PDC, etc.).
Make sure the users file contains the
following entry:
"testuser" User-Password == "Secret149"